Friday, 10 May 2013

Autopsy as a Reliable Forensic Tool

In 2008/09, I joined the MSc in Forensic Informatics at the University of Strathclyde, UK through the Chevening scholarship funded by the UK government and administered by the British Council. At that time, most experiments and assignments conducted in the lab used command line tools running on the Linux platform, such as dcfldd for forensic imaging, foremost for carving, exiftool for viewing exif data, and so on. One of the tools that was frequently used for forensic analysis was Autopsy, created by Brian Carrier. Autopsy, which is a forensic browser running on the Linux operating system, is derived from The Sleuthkit, which is a group of command line forensic tools. I can say that Autopsy is a GUI for The Sleuthkit. Autopsy for Linux is version 2.

On 26 March 2013, Brian Carrier issued a new version of Autopsy which runs on the Windows platform. It is version 3.0.5 with a nice GUI. This version does not use a browser as a medium to view the results of forensic analysis, as Autopsy v2 in Linux does. The good news about Autopsy is that it is free of charge and is distributed under an Apache 2 license. For myself and others, I recommend this tool as one of the forensic tools to use for detailed digital forensic analysis.

Below is the description of Autopsy, quoted from its website:

Autopsy is a graphical interface to The Sleuth Kit and other analysis tools.
It was designed to be an extensible platform so that it can be an
end-to-end digital forensics solution that incorporates plug-in modules
from both open and closed source projects.

This page describes the concepts of version 3, which is a complete re-write from
version 2. Version 3 currently only runs on Windows. If you perform
digital forensics on a non-Windows system, refer to the
version 2 page.

You can download Autopsy from the Downloads
page and see the full set of features on the Features page.

The following concepts were essential to the design of Autopsy 3:

Extensibility: No single vendor can provide a solution to
every analysis problem and no one knows what analysis techniques will
work best on tomorrow's problems. Autopsy was designed with this in
mind. In several places, it uses frameworks that allow plug-in modules
to be easily inserted. This allows you to customize Autopsy to suit your
analysis needs and extend it with custom or third-party modules.

Ease Of Use: Digital forensics tools should be intuitive and
approachable so that they can be effectively used by non-technical
investigators. Autopsy 3 uses wizards to help the investigator know what
the next step is, uses common navigation techniques to help them find
their results, and tries to automate as much as possible to reduce
errors.

Fast Results: As media grows in size, it takes longer to
analyze all of it. Autopsy tries to give the investigator relevant
information as soon as possible. It analyzes user folders over system
folders. It alerts you to hash set hits as soon as they are found and
you can change the settings to only focus on important things if you
have limited time (i.e. triage).

In order to allow for modules and future extensibility, Autopsy uses a
central SQLite database to store its results.
This database stays small because file content is not stored in it. This
means that you get the benefits of having the data stored in a
database without having to install a database or be a database
administrator. The schema is documented on the wiki.

Ingest Modules analyze the disk image contents. When the
investigator adds a disk image to the case, he is prompted to enable
and configure the ingest modules (screen shot). The basic version of Autopsy comes with ingest modules for:

These modules are run in parallel. Refer to the wiki
page for the latest list of third-party modules. Developers are
encouraged to write ingest modules because they can then let Autopsy
deal with file access, reporting, and the UI and they can focus on fancy
analysis techniques.

Content viewers allow the examiner to view a single file.
Different viewers display the file in different formats. Examples
include hex, strings, and media (images, video, etc. using gstreamer) (screen shot). Additional viewers can be created to view different file types (such as advanced text analytics or image analysis).

Report modules create the final report. They access the
central database to collect the results from all of the ingest modules.
The basic version of Autopsy comes with an HTML and Excel report format.
You can make other modules to report in custom formats.

Add-on Viewers show data in a more complex way than the three panel design. As an example, the timeline viewer (screen shot) displays the timeline data in graph form.

Several features were added to make sure Autopsy was easy to use for non-technical users.

Wizards are used in several places to guide the user through common steps.

History is maintained so that the user can use back and forward buttons to back track after they have gone down an investigation path.

Previous settings are often saved with the modules so that you can more easily analyze the next image with the same settings as the last image.

Autopsy's default view is a simple interface where all of the analysis results can always be found in a single tree on the left (screen shot).
When the examiner is looking for something, he should immediately
review the tree. He doesn't have to dig through menus or layers of tabs
to find the information.

Autopsy tries to be non-invasive with popups and messages from the
background tasks that are running. The motivation for this is that you
could be focusing on an investigation path based on some web activity or
keyword search results. By having to deal with messages from background
ingest modules, you could get distracted. The ingest inbox is
where modules send messages. You can then open the inbox when you are
ready to see the results, review what has been found since you last
opened it, and choose which results to start focusing on.
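As an added illustration of the design described in the quoted text (example code written for this post, not Autopsy's own code): a small Python model of an ingest pass that stores only file metadata and hashes in a central SQLite results table, processes user folders before system folders, surfaces hash-set hits as soon as they are found, and lets a report step work from the database alone. The directory tree used as the "image", the known-bad hash set and the user-folder prefixes are all constructed for the example.

```python
import hashlib
import os
import sqlite3
import tempfile

USER_PREFIXES = ("Users/", "home/")  # assumption: what counts as a user folder

def ingest(root, hash_set, db):
    """Walk root, user folders first; store only metadata and hashes (never
    content) in the central results table. Returns hash-set hits in the order
    found, i.e. as they would be posted to the ingest inbox."""
    db.execute("CREATE TABLE IF NOT EXISTS files("
               "path TEXT, size INTEGER, sha256 TEXT, known INTEGER)")
    rels = [os.path.relpath(os.path.join(d, n), root).replace(os.sep, "/")
            for d, _, names in os.walk(root) for n in names]
    # Triage ordering: user folders before system folders, then by path.
    rels.sort(key=lambda p: (not p.startswith(USER_PREFIXES), p))
    hits = []
    for rel in rels:
        full = os.path.join(root, rel)
        with open(full, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        known = int(digest in hash_set)
        db.execute("INSERT INTO files VALUES (?, ?, ?, ?)",
                   (rel, os.path.getsize(full), digest, known))
        if known:
            hits.append(rel)  # surfaced immediately, not at the end of the run
    db.commit()
    return hits

def report(db):
    """Report-module style: built from the results database alone."""
    return db.execute("SELECT path, sha256 FROM files WHERE known = 1 "
                      "ORDER BY path").fetchall()

def demo():
    """Constructed sample 'image' (a temp directory) plus a constructed hash set."""
    root = tempfile.mkdtemp()
    sample = {"Windows/System32/drop.dll": b"BAD-SAMPLE",
              "Users/alice/notes.txt": b"hello",
              "Users/alice/drop.exe": b"BAD-SAMPLE"}
    for rel, data in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    bad_hashes = {hashlib.sha256(b"BAD-SAMPLE").hexdigest()}
    db = sqlite3.connect(":memory:")
    return ingest(root, bad_hashes, db), report(db)
```

Running demo() reports the copy under Users/ before the one under Windows/, even though the system copy is walked first on disk.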


About Me

I have been working for the Indonesian Police Forensic Laboratory Centre (Puslabfor Bareskrim Polri) since 1997. My current job is Chief of the Computer Forensic Sub-Department. My core duties are to handle digital forensic investigation and analysis of electronic and digital evidence. I am the pioneer of developing computer forensic capabilities at Puslabfor Bareskrim Polri, which was started in around 2000. Last year, in 2012, my team and I successfully investigated and analyzed 488 items of evidence which came from 81 cases of computer crime and computer-related crime.
In 2012 I wrote a book with the title "Digital Forensic: Practical Guidelines for Forensic Investigation". Its contents are mostly from the knowledge and science I gained from joining the MSc in Forensic Informatics at the University of Strathclyde, in the UK, in 2008/2009 through the Chevening Scholarships. In 2010, the British Council in Indonesia gave me a prestigious award as one of "The Super Six UK Alumni".